Posted
by
kdawson
on Friday June 08, 2007 @07:15AM
from the winner-of-the-race-to-the-bottom dept.

Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."

"... the system takes, on average, seven years to churn out a new patent. The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury."

So,not to be TOO obvious, but...

by the time they patent it, it will be obsolete;

if its simple enough to explain to a jury, it may be too simple to patent (patents have to be for non-obvious inventions);

looks like free/libre software gets a free ride (target must have deep pockets).

You forgot about the FAT file system patent (5991517 - the '517 patent)... the one that they tried to shake down makers of portable devices and memory cards for, and it blew up in their faces [pubpat.org] with the patent being invalidated...

Hate to reply to myself, but I forgot to mention that this WAS an offensive move, because Microsoft was already planning to get into the portable player market in 2003, and being able to collect a "tax" from competitors is the same strategy SCO tried with linux.

Just one problem - how are you going to patent a patch that nobody (including yourself) has invented?

If you have invented the patch, then maybe you're in business - except that most of the time, once the source of the bug is discovered, the patch is obvious -like fixing a buffer over/underflow, or fixing a dangling pointer, and not patentable.

This is one of those ideas that isn't going to cause anyone to lose any sleep at night, except for the fools who can't sleep because they're counting their $$$$ pr

The recent supreme court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art" within some unknown limits.

This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).

Yes. (IANAL) That's exactly what they'll do -- sue while the patent is pending. It's often cheaper to pay someone off than it is to go to court -- even MSFT has paid off patent trolls to avoid a court battle.

You can give the potential infringer notice that you have a patent application pending that covers their 'invention.' If they don't stop once you give notice, then you can collect 'reasonable royalties' from the time of your notice to them until your patent actually issues - if your patent issues. (What in the world would be 'reasonable royalties' in this case, btw? Damned if I know.) After it the patent issues, you have the normal patent remedies. Damages + a permanent injunction (which is thankfully not

Has anybody used the "software is not patentable" defense against a patent troll already? Then somebody please use it and appeal all the way up. Breyer is hinting everybody that the Supreme Court is waiting for somebody to present this to them so this defense is going to be accepted and ruled upon.

I don't oppose patents in general, just software patents. Businesses that pour tons of money in R&D to develop totally unique products (like drug companies) deserve the right to have a temporary monopoly, that's what is allowed

The line between 'software' and 'pharmaceutical' is already blurring. Once nanotech arrives, the line will be completely obliterated.

[...] under the constitution.

The Constitution doesn't mention patent law. Indeed, it horribly fails to enumerate the very right to property --

Au contraire; you can charge people for your patent from the instant that you file it, and collect the money retroactively if and when it's granted. Since these parasites have no other business, there's little point in any individual company fighting them over this. They'll get their Danegeld, make no mistake about it. [wikipedia.org]

Au contraire; you can charge people for your patent from the instant that you file it, and collect the money retroactively if and when it's granted. Since these parasites have no other business, there's little point in any individual company fighting them over this. They'll get their Danegeld, make no mistake about it.

You can only collect retroactive royalties if your patent is granted. Buffer overrun bugs have been known for decades, as have all the methods of patching them. Removing a security vulnerab

Yeah, but the 95 following days would suck, as the BSA and everyone else with a vested interest in software patents lobbies the fsck out of the Congress and waters down patent reform until it poses no threat to the file-and-sue business model.

Yeah, but the 95 following days would suck, as the BSA and everyone else with a vested interest in software patents lobbies the fsck out of the Congress and waters down patent reform until it poses no threat to the file-and-sue business model.

Apart from IBM, Texas Instruments and possibly HP everyone in the software field spends vastly more on patent licensing than they recover. Microsoft spends roughly three times as much as its licenses bring in.

Beyond that, it'd really only work with architectural security faults.You can't go out and patent "IE, but without these four buffer overflows". So 'patches' aren't at risk.Further, the concept of boxing in a software vendor with patents on architectural security improvements implies that these guys can cover a sufficiently wide range of improved architectural security implementations - which is far trickier and more expensive than the summary makes it sound. Particularly when you're trying to pin large c

Not necessarily. Some fixes can definitely meet the non-obviousness criteria. And looking for vulnerabilities which require non-obvious fixes and patenting them is a viable business model as well.In fact, there is a well known precedent, when the icmp-tcp interaction and various windowing flaws in tcp implementations were discovered around 2001(IIRC) the fixes were brainstormed at IETF and a list of suggested fixes came out. And surprise, surprise it appeared that Cisco who had the worst list of flaws and w

I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products without paying. On the flip side should they succeed with this companies may see better quality control leading to increased savings in the long run, giving us all stable software from the get go. It's win-win, race to the bottom I say, make haste.

> I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products> without paying.

I don't think so. Companies will just change their EULA to say that if any bugs or security vulnerabilities are found, they should be reported to the originating company and not sold for profit. Then the Company can just say that any deal with Intellectual Weapons is a violation of the EULA.

"I don't think so. Companies will just change their EULA to say that if any bugs or security vulnerabilities are found, they should be reported to the originating company and not sold for profit. Then the Company can just say that any deal with Intellectual Weapons is a violation of the EULA."They can say it. But they can't prove it.

There is no legal duty to sign an EULA and therefore the onus to prove you did it rests upon them.

The court will not be very impressed by someone trying to claim they have a con

At this point, I don't think ANYTHING can fix the U.S. patent system. The U.S. patent office simply wasn't designed to handle the modern influx of very complex patents and patent claims. It simply can't scale to the size that it needs to be to actually review and police so many patents that are so complex in nature. So they've basically just thrown up their hands and said "Let the courts work it out."

The problem with "Let the courts work it out" is that it effectively stifles the "little guy," the small company or inventor without the significant financial resources to defend his inventions in court. Any given invention or innovation today might step on dozens of vague existing patents. This has the very real effect of stifling the very innovation and invention that the patent system was designed to PROTECT, and of restricting what innovation and invention there *is* to large mega-corps that can afford to defend against multiple patent lawsuits.

Don't believe it? Just take Linux as an example. MS can afford to essentially outlaw Linux if they wanted to (only the public backlash is holding them back). And, even if every one of their patent claims against Linux is bogus, who's going to step up to the plate and put up the millions of $ needed to defend it against an avalanche of MS patent lawsuits?

> The problem with "Let the courts work it out" is that it effectively stifles the "little guy," the small company or inventor without> the significant financial resources to defend his inventions in court.This is no different than the guy who wants to make a living writing books, music, programs, making films etc. You need a lot of money to do anything nowadays, and you're totally vulnerable to big companies who can step in at the last minute and smother you with paperwork, threats of legal action a

The U.S. patent office simply wasn't designed to handle the modern influx of very complex patents and patent claims. It simply can't scale to the size that it needs to be to actually review and police so many patents that are so complex in nature. So they've basically just thrown up their hands and said "Let the courts work it out."

That's not true at all. Nobody has thrown up their hands about it, they ARE trying to get as many patents approved as possible, since this is what they get paid to do and the sys

You may be right or wrong that the patent system as a whole is flawed, but this story is about software patents. There, the fix is very simple: do not make software patentable - so that no patent is infringed by writing, distributing or running a computer program. There was never any legislation to extend the patent system to software and no economic study showing that the good effects outweigh the bad; it's mostly because the patent office took matters into its own hands (after all, if you work at the pa

The problem with "Let the courts work it out" is that it effectively stifles the "little guy," the small company or inventor without the significant financial resources to defend his inventions in court.

Exactly, because the other problem with "let the courts work it out" is that the court's stance is "the work of the USPTO is by default valid", and if you go to court against someone holding a patent, the onus is on you to prove that the patent is invalid. It's not like the court does the job of USPTO for i

MS can afford to essentially outlaw Linux if they wanted to. . . in the US.There is a whole big world out there beyond the borders of the USA, where a lot of smart people live and work, and a lot of technology and innovation is happening. If the US wants to (for whatever reason) shoot their technology industry down, that will just create a larger market and demand for the rest of the world to meet.

If you're in the US, it's probably a bad thing to hear about this sort of thing, but in the re

Don't believe it? Just take Linux as an example. MS can afford to essentially outlaw Linux if they wanted to (only the public backlash is holding them back).

Not a chance. Do you think an average Microsoft OS customer has a clue or cares in any way what they do with respect to Linux? Of course not.
Corporate sales might be hurt, or they might not. That's harder to say. However, to say that 'public backlash is the only thing holding them back' is to give yourself airs of grandiosity that you (and i) d

I agree with you wholeheartedly, but from the slightly different perspective. Things like the patent system (or DRM or privacy issues) have become so illogical that there's no way an average person can fight against the system by sane and normal means such as lawsuits, petitions, or elections. The most effective way to get rid of these stupid laws, IMHO, is by making sure that they self-destruct, i.e. become utterly ridiculous in the eyes of the media and the public. So, rejoice when people start filing patents for their navel lint or nasal hair structure. Chuckle gleefully when DRM softwares start taking people's system and create massive security holes. Cackle manically if some wiseguy sues McD for kaching-illion dollars because their "Happy Meal" didn't exactly make him happy. For remember, the candle burneth brightest before it dies out, to rehash a hoary saw. Or at least, we hope.

But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering/ copyright/ their own patents.

Not really. There has to be a quick *patent application*. Violations of the patent date from the submission of the patent. If the fix was applied before the patent was applied, that would be prior art. The patent system recognizes that patents can be violated while the patent is pending, and that the vioilation can be addressed after the patent is finally granted. (I say this as someone who's helped establish prior art and helped establish that similar technologies are not described by the same patent, not

You are being sued for patent infringement. Cancel or Allow?
best take of all.
It is difficult to dismiss the feeling that some patent lawyer snookered a client out of a fee. What are the chances of prevailing in such suit?

"A method of entering replies in to slashdot using a computer keyboard to generate alphanumeric characters which are used to create textural comments to a news item.". If *anyone* else says *anything* from now on, you have to pay me.

I know there are a lot of you out there saying: this is the kind of action that will spur congress to get off their deriere, but frankly, I can only see this as YANITC (yet another nail in the coffin).

We looked on in horror when the thought of software patents came up, and we said that surely no one would be dumb enough (or greedy enough) to do it. We were wrong...

Then there was Bezo's one-click patent and we shielded our eyes saying: the fireworks are going to start any time now... Again, however, the sky was clear and there we no signs of change on the horizon.

Then you had all the spurrious patents from SCO, Microsoft and IBM, and we thought, well maybe this time! However, as was before, so was then...

Then Microsoft threatened Linux and we said "they are running scarred!" and "no one would be dumb enough to..." They were, and they are. Not only that, but mere weeks later, you have several major contributors signing licensing deals to patent infringements that were never released. My God, that costs the companies money and they do nothing but bend over...

Today we got word of Bezo's expansion of the one-click patent, and on top of that the willingness of the USPTO to accept the patent with little to no effort. The USPTO, after all, has employees they have to pay...

And now you have this, and again we here individuals decrying the "end times" for software patents. No, that isn't going to happen. They are here to stay, because the system is working for its citizens in a very efficient way. It is just that we think that we are the citizens. Much like TV viewers or magazine subscribers think that they are the clients of the company. They aren't, they are the product.

We are the product and the consumer, but not the client of the government. The government is there to protect the interests of its citizens, it's just that its citizens have trademarked names. We have gone form Micro to Macro folks.

Excellent post. You are right, software patents aren't going anywhere. You will see more properties like this, where basic, everyday information is walled away from you. And as long as we allow congress to be bribed by lobbyists, this will continue to happen. Remember, what's good for GM is good for America. We have a long tradition of bending over for business interests.

Consider too, that many companies like Microsoft would love the chance to spend their research dollars on finding vital security hol

Well, there is one small difference that may (or may not) turn out to be important. These guys are no more constituents (I'm taking liberty with your terminology) of the government than you and I are. As far as the real constituents--Microsoft/Amazon/IBM/etc.--are concerned, Intellectual Weapon are the barbarians at the gate of the city. And if the big boys manage to swat this bug, there are a hundred more waiting in the wings now that the way has been shown.

What everyone is failing to realize is that they can only patent new methods of patching....If program Z has a bug that is fixed using some existing technique (buffer overruns where you add tighter bounds checking, maybe....fixing parameter verification with regular expressions....etc.), the patch can still go. The only time this will really matter is if the fix for the exploit involves a completely new and novel way of doing something.....and even then might require too much internal knowledge of the code

The difference here is in WHO benefits and WHO is hurt.Remember that this whole thing is being done by some small startup. Presumably they have only a venture capital budget, and no lobbyist presence, as of yet. Then remember that they're preparing to litigate against the likes of Microsoft, Sun, and IBM, all of who have real budgets and real lobbyist presences.

Whether the patent reform this engenders is the kind we'd like to see is a different question. But I'm sure this effort won't get off the starting b

If someone exploits a bug or flaw in a program's design (and just how does one define that in a precise enough fasion for a patent, anyway), I should think the most obvious thing in the world would be to fix the bug/flaw. HOW one fixes it is going to vary widely, from "opps that should have been +1 not -1" to "some guy at *UNIVERSITY* just found a new algorithm that cracks our protection, back to the drawing boards". A lot of fixes should fail instantly on the obviousness criteria - the attack itself ofte

See how my e-mail address is "armoured" ? You've only got to look for/\{([^}]+)\}\s*\{ta\}\s*\{([^}]+)/ and then $email = (reverse split "", $2) . "\@" . reverse split "", $1; . All the others are left as an exercise for the reader.

By the way, if you're reading this in the future, the armouring may have changed so as this won't make sense anymore.

Assuming this organization gets off the ground, I wonder if there would be any grounds for a lawsuit against them for "damages sustained" while a vendor is arguing over the price for a fix. For example, if the vendor wished to create a fix for me but couldn't because this organization was giving them grief, could I or my customers sue because of losses sustained due to the vulnerability. What if the breached caused directly traceable bodily injury (someone breaking into a system used by law enforcement, h

'' Assuming this organization gets off the ground, I wonder if there would be any grounds for a lawsuit against them for "damages sustained" while a vendor is arguing over the price for a fix. ''

I would be more wondering whether they would go to jail immediately, as the information in the patent application, which has to be publicly available, will give hackers the means to attack machines, and publishing such information seems to be for example against British laws.

Has anyone noticed that patents may well be the farming and agriculture of the 21st century? Allow me to explain.

During the shift to urbanization, it was common for individuals to keep cattle, chickens, pigs and sheep in the city. The animals would be allowed to roam free and would then be captured and slaughter/sheered as was necessary. It was subsistence living in an urban environment where barter was VERY common.

However, as time went on, factories and other places of employment found that they couldn't get enough workers for the lower level jobs. Why would the poor go work there in a crappy environment, when they could breed their cattle and chickens for rent and food?

So these companies petitioned the government to disallow animals, citing disease and the cause (and to some degree, this was true, especially with large amounts of fecal matter in the city -- but then not everyone had plumbing either). This in turn caused people to starve and move to these companies to be paid in "money".

Now, however, we have patents. Patents force the little guy out of the market (let's face it, no individual can afford to beat MS, IBM, Monsanto, et al in a court where lawyers form 99.9% of your chances) Small companies are forced out of business and big companies get to take over. The small companies are the only real thorn in the side of the bigger ones as they might offer a product that revolutionizes the field, but ends up costing a major conglomerate billions to redevelop their products). So patents force them out of business, causing the owners to work for the mega-corp and thus give the mega-corp control.

Perhaps in a few years, everyone will be working for a mega-corp and that will define our identities. We are theirs after all...

The small companies are the only real thorn in the side of the bigger ones as they might offer a product that revolutionizes the field, but ends up costing a major conglomerate billions to redevelop their products). So patents force them out of business, causing the owners to work for the mega-corp and thus give the mega-corp control.Perhaps in a few years, everyone will be working for a mega-corp and that will define our identities. We are theirs after all...

Come on people. Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system. The whole idea is wildly impractical (what are these magic methods they say they'll use to expedite the patent process?), and a real company would privately hire their own security researchers instead of announcing their plans in detail to the public.

Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system.

I agree. That there is no information about the people involved is the first tip off that this is either a gag or something put together by unscrupulous folks who are looking to obtain security vulnerabilities from nitwits. This is certainly not a legitimate law firm.

I frequently post about Intellectual Property in threads like this. Usually I get some responses saying that I'm full of it, and companies wouldn't slash our throats and bleed us dry. I have four words for you:

Are you convinced yet?

There are too many market pressures on monopolizing ideas. A monopoly on an idea gives you an excellent competitive advantage. For some goods, say a book, a copyright is neccessary for you to take a risk and publish the book. For others, it lets you invent things like a cotton gin and make money off of it while being a good citizen and showing the world how it works, and what new technologies you have invented. On the whole, these are to the public's advantage when used wisely.

But a monopoly is always a competitive advantage, even when it isn't in the public's advantage. And currently, business lobbies are pushing to allow more and more kinds of monopolies because they make business sense. Granted, plot patents, business patents, process patents, software patents, copyright on 3 note sequences, etc, etc, etc are not in the public's interest, as we don't carry massive IP portfolios to cross-license or lawyers to fight with. But they do allow large companies to create a massive barrier to entry that only certain industries or monopolies enjoyed before.

There is money to be made in massively expanding the definition of IP to include all ideas. There is more money in eternally owning ideas than in all of the property rights or mineral rights in the solar system. This fight will not be over in our lifetimes.

One thing I noticed reading the site is that the researcher who submits the vulnerability report gets a share of the net profit not the gross income or a guaranteed fee. This is a standard Hollywood tactic to avoid paying the people who do the real work. All the gross income gets eaten up in various expenses so there is little or no net profit.

The researcher also has to trust the company not to just steal their information by claiming someone who wishes to remain anonymous has already reported that vulnera

This sort of thing is the reason why I have retained a patent lawyer who, the day the "first to file" change is passed into law [businessweek.com], will put in an application for a business method patent. The brief, non-legalese version basically covers the business model of suing over patents which the owning company does not themselves utilize. (That way, I can sue into oblivion any business attempting craziness like this.)

I think the patent system is absurd, but this strikes me as a good use for it. Right now, vendors absolve themselves of any responsibility and think they have a right to get free reports and bug fixes from users. In fact, they have even created the impression that it is blackmail when bug reporters ask for money for their discoveries.

As I see it, if this company gets away with it, either, big companies will improve the quality of their software so that they have fewer vulnerabilities in the first place, or they will start to push for weakening software patents. Either way, everybody wins.

Seriously though folks. I'd be worried about this and thinking the world is coming to an end if I thought there was any chance that this sort of thing could even happen. Obviousness, the backed-up patent system in this decaying republic, derivative work... people have already brought all these things up. At the risk of sounding repetitive, though, I'm going to say this is a worthless pipe dream if it's

Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.

Here's a better idea: copyright law. Copyright is immediate.

Here's what you do:

Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.

Publish the patch. Only the patch.

But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.

Alert the world to your discovery. You're a hero! You can root any computer on the Internet!

Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.

The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the mean time: nice of them to establish some precedent.

Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".

This is an attempt to become John Smith's Landlord. (John Smith is one of the classic philosophers who defined capitalism.) In his book "The Wealth of Nations," he defined the landlord as a class of people who collected rent as an attempt to live without doing work. Now, Intellectual Weapons is trying to figure out a way to use the legal system so they can gain income without doing real work.

This approach seems unlikely to work. Patent holders win huge jury awards because they, in the jury's eyes, have been legitimately wronged. In this case, the jury may see the vendor as the one being exploited.

They just have to guess what the patch will do. Remember the Amazon 1-click patent is not specific to an implementation. Its just the idea of 1-click with some obvious ground rules. The current patent system will allow stupid patents like this.

Every time the come up with a DRM method, they also patent every circumvention method they can think of. That way, nobody can legally create a "decoder" for their wares. Sneaky, tehy are. It really adds weight to the idea of "produce in commercial quantities or default to statutory licensing set by the government."